Linux Admin
Fix Old CentOS Repos
CentOS 6 reached end of life on 2020-11-30 and its mirrors were taken down, so yum on an old box now fails with the error below. Point the repos at the archive on vault.centos.org to fix it:
yum list
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror
Determining fastest mirrors
YumRepo Error: All mirror URLs are not using ftp, http[s] or file.
 Eg. Invalid release/repo/arch combination/
removing mirrorlist with no valid mirrors: /var/cache/yum/x86_64/6/base/mirrorlist.txt
Steps:
- Step1: Update /etc/yum.repos.d/CentOS-Base.repo. Comment out every mirrorlist line and add a baseurl on the vault (6.10 was the last CentOS 6 release). Keep gpgcheck=1: the vault is served over plain http, so the signature check against the local CentOS key is what protects you from a tampered package.
[base]
name=CentOS-$releasever - Base
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
baseurl=http://vault.centos.org/6.10/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

#released updates
[updates]
name=CentOS-$releasever - Updates
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates&infra=$infra
baseurl=http://vault.centos.org/6.10/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras&infra=$infra
baseurl=http://vault.centos.org/6.10/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus&infra=$infra
baseurl=http://vault.centos.org/6.10/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

#contrib - packages by Centos Users
[contrib]
name=CentOS-$releasever - Contrib
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=contrib&infra=$infra
baseurl=http://vault.centos.org/6.10/contrib/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
- Step2: drop the cached metadata (the stale mirrorlist included); the next yum command rebuilds it from the vault:
yum clean all
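The rewrite above is mechanical, so here it is as a script. This is an added example, not part of the original page: vault_repo reads a stock CentOS-Base.repo on stdin and writes the vault version on stdout, and unsigned_sections lists any enabled repo section that does not carry gpgcheck=1, which is the check worth running before trusting an http-only mirror. The 6.10 release number and the two-section sample file are assumptions constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the original page): point a CentOS-Base.repo at
# vault.centos.org and verify that every enabled section still checks GPG signatures.
VAULT_RELEASE=${VAULT_RELEASE:-6.10}   # assumption: last CentOS 6 point release

# usage: vault_repo < /etc/yum.repos.d/CentOS-Base.repo > CentOS-Base.repo.new
vault_repo() {
  awk -v rel="$VAULT_RELEASE" '
    # Each mirrorlist line names its repo in the query string (repo=os, repo=updates, ...);
    # the vault uses the same name as the path component.
    /^mirrorlist=/ {
      repo = $0
      sub(/.*repo=/, "", repo)
      sub(/&.*/, "", repo)
      print "#" $0
      print "baseurl=http://vault.centos.org/" rel "/" repo "/$basearch/"
      next
    }
    # The stock file also carries a commented-out mirror.centos.org baseurl; drop it
    # so each section ends up with exactly one baseurl.
    /^#baseurl=/ { next }
    { print }
  '
}

# usage: unsigned_sections < CentOS-Base.repo   (prints [section] names that are enabled
# but lack gpgcheck=1; prints nothing when the file is fine)
unsigned_sections() {
  awk '
    function report() { if (sec != "" && on && !gpg) print sec }
    /^\[/        { report(); sec = $0; gpg = 0; on = 1; next }
    /^gpgcheck=1/ { gpg = 1 }
    /^enabled=0/  { on = 0 }
    END          { report() }
  '
}

# Constructed sample (two sections, one of them with gpgcheck=0) for a stand-alone run.
SAMPLE_REPO='[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

[extras]
name=CentOS-$releasever - Extras
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras&infra=$infra
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6'

printf '%s\n' "$SAMPLE_REPO" | vault_repo
echo "--- sections without gpgcheck=1:"
printf '%s\n' "$SAMPLE_REPO" | unsigned_sections
```

Run unsigned_sections against the rewritten file as well; vault_repo deliberately leaves gpgcheck lines untouched, so a section that was unsigned before stays visible as unsigned after.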
Install software
Install rpm package
Mount the install media and install straight from the rpm file. rpm -i does not resolve dependencies (yum localinstall does), and it only verifies the package signature if the vendor key has been imported; it prints a NOKEY warning otherwise.
mount /dev/cdrom /mnt/cdrom/
cd /mnt/cdrom/CentOS
rpm -i mc-4.6.1a-35.el5.i386.rpm
Manage packages with yum - Yellowdog Updater Modified
It can automatically perform system updates, including dependency analysis and obsoletes processing based on "repository" metadata. It can also install new packages, remove old packages and query the installed and/or available packages, among many other commands/services (see below). yum is similar to other high-level package managers like apt-get and smart.
- yum grouplist
=> output:
Installed Groups:
   DNS Name Server
   Dialup Networking Support
   Editors
   FTP Server
   .......
Available Groups:
   Administration Tools
   Authoring and Publishing
   Base
   Beagle
   Cluster Storage
   Clustering
   Development Libraries
   Development Tools
- yum groupinfo
yum groupinfo "Development Libraries"
- How to install gcc:
# yum list | grep gcc
=> output:
gcc.i386                4.1.2-44.el5    base
libgcc.i386             4.1.2-44.el5    base
compat-gcc-34.i386      3.4.6-4         base
.......
# yum install gcc.i386
- check whether a package is installed or only available:
yum list | grep postfix
postfix.x86_64                2:2.6.6-6.el6_5   @updates
postfix-perl-scripts.x86_64   2:2.6.6-6.el6_5   updates
# @updates => installed (from the updates repo)
# updates  => available in the updates repo, not installed
- yum info php-mysql
Loading mirror speeds from cached hostfile
 * base: mirrors.digipower.vn
 * elrepo: ftp.osuosl.org
 * extras: mirrors.digipower.vn
 * updates: mirrors.digipower.vn
Installed Packages
Name        : php-mysql
Manage Packages with Apt
apt-cache - performs a variety of operations on APT's package cache. apt-cache does not manipulate the state of the system but does provide operations to search and generate interesting output from the package metadata.
dpkg - package manager for Debian
Upgrade all installed packages (run apt-get update first so the package index is current):
apt-get upgrade
Search Packages:
- Find packages that include <search_term>
apt-cache search <search_term>
For example:
dpkg -l '*chkconfig*'
(quote the pattern, otherwise the shell expands the * against file names in the current directory)
output:
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture  Description
+++-==============-============-=============-=================================
un  chkconfig      <none>       <none>        (no description available)
- Find packages whose names contain <search_term>. Similar to apt-cache search, but also shows whether a package is installed on your system by marking it with ii (installed) or un (not installed/unknown).
dpkg -l '*<search_term>*'
- Shows the description of package <package_name> and other relevant information including version, size, dependencies and conflicts
apt-cache show <package_name>
- Shows the description of package
dpkg --print-avail <package_name>
- List files in package <package_name>
dpkg -L <package_name>
Admin User and Group
Admin user
- Add user normal
useradd anhvc
- Set password for user anhvc
passwd anhvc
- Remove normal user:
userdel anhvc
- Remove user and home directory itself and the user´s mail spool.
userdel -r anhvc
- Add a system (service) account:
# create the user without a home directory
useradd -M dovecot
# lock the password so the account cannot log in with one
usermod -L dovecot
A locked password only blocks password logins; an ssh key in the account's authorized_keys would still work. For a service account also give it a non-login shell (useradd -s /sbin/nologin) and create it with -r so it gets a system uid below the normal user range.
Admin group
- Change name of group
groupmod -n accounting accountant
- Print all groups which user is in
groups root
output:
root : root bin daemon sys adm disk wheel
- Get All users in group
lid -g <groupname>
Modify Group of user
- Add user anhvc with primary group ztbackup
useradd -g ztbackup anhvc
- Add an Existing User to a Group
usermod -a -G <groupname> username
- Change a User’s Primary Group
usermod -g <groupname> username
- Add a User to Multiple Groups:
usermod -a -G ftp,admins,othergroup <username>
- Remove User in Group
gpasswd -d <username> <groupname>
Chown
- Change only the group of the file to "accounting" (the owner stays as is; same effect as chgrp):
chown :accounting filename
- Command format:
chown user:group filename
Passwd file
refer: http://www.yolinux.com/TUTORIALS/LinuxTutorialManagingGroups.html
grep '^ftp:' /etc/passwd
output:
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
(username: ftp, user id: 14, primary group id: 50, real name: FTP User, home directory: /var/ftp, shell: /sbin/nologin; the x means the password hash is kept in /etc/shadow)
Information of user profile
cat ~/.bash_profile
cat ~/.bashrc        => login profile for the user
cat ~/.bash_history  => command history of the user
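When reviewing /etc/passwd the two things worth pulling out are which accounts can actually log in and whether any account other than root has uid 0. This is an added example, not from the original page: login_accounts reads passwd-format text on stdin and prints the accounts whose shell is interactive, tagging any non-root uid 0 entry. The five sample lines are constructed for the demo (the toor line is a deliberately planted second uid 0 account, not something observed on a real host).

```sh
#!/bin/sh
# Added example (not from the original page): list accounts that can log in and
# flag extra uid 0 entries. usage: login_accounts < /etc/passwd
login_accounts() {
  awk -F: '
    NF != 7 { next }                                   # skip malformed lines
    $7 ~ /(nologin|false|sync|halt|shutdown)$/ { next } # no interactive shell
    {
      tag = ($3 == 0 && $1 != "root") ? "  <-- uid 0 but not root" : ""
      printf "%s uid=%s home=%s shell=%s%s\n", $1, $3, $6, $7, tag
    }
  '
}

# Constructed sample passwd content for a stand-alone run.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
anhvc:x:500:500:Anh:/home/anhvc:/bin/bash
toor:x:0:0:planted for the demo:/root:/bin/sh'

printf '%s\n' "$SAMPLE_PASSWD" | login_accounts
```

On a real host the interesting lines are the ones you did not create yourself; compare the output against the accounts you expect (root plus your admins) and look at /etc/shadow for any of them with an empty password field.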
sudo config
- Edit /etc/sudoers with visudo instead of making the file writable: visudo locks the file and checks the syntax before saving (a syntax error locks every user out of sudo), and sudo refuses to run while /etc/sudoers has any mode other than 0440. If the file was edited by hand, put the mode back with chmod 0440 /etc/sudoers.
- Add user to run sudo as root: add the line below to /etc/sudoers:
anhvc ALL=(ALL) NOPASSWD: ALL
⇒ Allows user anhvc to run any command through sudo with no password, which makes the account equivalent to root. The form below still asks for the user's password and is the one to prefer:
anhvc ALL=(ALL) ALL
- Comment out the line below to allow sudo from sessions without a tty (cron jobs, ssh host command):
#Defaults requiretty
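Before and after touching sudoers it is worth knowing exactly who can become root and whether they need a password. This is an added example, not from the original page: sudo_audit reads sudoers text on stdin and prints one line per user specification, plus the effective requiretty setting. It understands only the plain forms shown on this page (user or %group, ALL=(ALL) ALL, NOPASSWD: ALL); aliases are skipped and so are #include/#includedir lines, so /etc/sudoers.d has to be fed through it separately. The sample sudoers content is constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the original page): summarise who gets root via sudo.
# usage: sudo cat /etc/sudoers | sudo_audit
sudo_audit() {
  awk '
    /^[ \t]*$/ { next }                       # blank lines
    /^[ \t]*#/ { next }                       # comments (and #include lines, which are not followed)
    /^Defaults/ {
      if ($0 ~ /requiretty/) tty = ($0 ~ /!requiretty/) ? "off" : "on"
      next
    }
    /^(User_Alias|Cmnd_Alias|Host_Alias|Runas_Alias)/ { next }
    /NOPASSWD:[ \t]*ALL[ \t]*$/ { print $1 " -> root without password"; next }
    /[ \t=)]ALL[ \t]*$/         { print $1 " -> root with password"; next }
    { print $1 " -> restricted commands" }
    END { print "requiretty: " (tty == "" ? "default" : tty) }
  '
}

# Constructed sample for a stand-alone run (not a real sudoers file).
SAMPLE_SUDOERS='# sample sudoers, constructed for the demo
Defaults    requiretty
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
anhvc   ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync'

printf '%s\n' "$SAMPLE_SUDOERS" | sudo_audit
```

Every "root without password" line is an account whose compromise is a root compromise with no second factor; the "restricted commands" lines still deserve a look, since a NOPASSWD entry for an editor, a shell or a tool that can spawn one is root in one step as well.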
umask
umask (the user file-creation mode mask) determines the permissions of newly created files and directories: the bits set in the mask are removed from 777 for directories and from 666 for files (the kernel never gives a new file execute bits; a program has to chmod +x it).
- normal user: the default umask is 0002, so:
- default directory permissions are 775 (rwxrwxr-x)
- and default file permissions are 664 (rw-rw-r--)
- root user: the default umask is 0022, so:
- default directory permissions are 755 (rwxr-xr-x). How to calculate directory permissions for umask 022 (root user):
Default permissions:     777
Subtract umask value:    022 (-)
Allowed permissions:     755
- and default file permissions are 644 (rw-r--r--). How to calculate file permissions for umask 022 (root user):
Default permissions:     666
Subtract umask value:    022 (-)
Allowed permissions:     644
(strictly the kernel clears the mask bits rather than subtracting, which matters for masks such as 027 or 077: 666 with umask 027 gives 640, not an underflow)
- How to restore the default mode after chmod'ing a whole directory with another mode? Copying the files does not do it: cp keeps the source's mode bits (minus the umask), so a 777 file is copied as 755, not 644. Reset the tree explicitly instead, with chmod on files and directories separately (find -type f and find -type d), because directories need the execute bit and files should not get it.
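The arithmetic above, done the way the kernel does it (base mode AND NOT mask) so it is also right for masks like 027 and 077 where digit subtraction breaks. This is an added example, not from the original page; the function names are mine.

```sh
#!/bin/sh
# Added example (not from the original page): default mode of a new file or
# directory under a given umask, rendered both in octal and in ls-style rwx form.

# usage: default_mode <umask> file|dir   -> e.g. "644"
default_mode() {
  base=0666                      # files never get execute bits from the kernel
  if [ "$2" = dir ]; then base=0777; fi
  # 0$1 forces the mask to be read as octal; ~ clears the masked bits
  printf '%03o\n' "$(( base & ~0$1 ))"
}

# one octal digit -> rwx text
rwx_digit() {
  case $1 in
    0) echo ---;; 1) echo --x;; 2) echo -w-;; 3) echo -wx;;
    4) echo r--;; 5) echo r-x;; 6) echo rw-;; 7) echo rwx;;
  esac
}

# usage: mode_string 755 -> rwxr-xr-x
mode_string() {
  m=$(printf '%03o' "$((0$1))")  # normalise, e.g. 644
  u=${m%??}; rest=${m#?}; g=${rest%?}; o=${rest#?}
  printf '%s%s%s\n' "$(rwx_digit "$u")" "$(rwx_digit "$g")" "$(rwx_digit "$o")"
}

# usage: show_umask 022 -> "umask 022: file 644 (rw-r--r--) dir 755 (rwxr-xr-x)"
show_umask() {
  f=$(default_mode "$1" file)
  d=$(default_mode "$1" dir)
  printf 'umask %s: file %s (%s) dir %s (%s)\n' \
    "$1" "$f" "$(mode_string "$f")" "$d" "$(mode_string "$d")"
}

# the masks discussed on the page plus two restrictive ones
for mask in 002 022 027 077; do show_umask "$mask"; done
```

For a service that writes secrets (keys, tokens, database dumps) set umask 077 in its start-up script so new files come out 600 regardless of what the parent shell had.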
System startup and shutdown
System startup config
OS startup config files
+ /etc/inittab: the line id:3:initdefault: sets the default run level (format id:runlevels:action:command)
+ /etc/rc.local: script run at the end of system startup
Understand run-level scripts in config files
Understanding run-level scripts: a software package whose service must start at boot time (or when the system changes run level)
- adds a script to the /etc/init.d directory. That script is then linked from the appropriate run-level directory, with links that either start or stop the service.
- step1: create my_daemon and copy it to /etc/init.d. chkconfig reads the header comments below (run levels 3, 4 and 5; start priority 82; stop priority 28):
# chkconfig: 345 82 28
# description: Does something pretty cool - you really
#              have to see it to believe it!
# processname: my_daemon
- step2: register the script:
chkconfig --add my_daemon
- All of the programs within the /etc/rcX.d directories (where X is replaced by a run-level number) are symbolic links, usually to a file in /etc/init.d.
- For each run level, a link beginning with K stops the service, whereas a link beginning with S starts the service.
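The header alone is not a working init script; below is a complete one with the start/stop/status actions that the S and K links call. This is an added example, not from the original page. The daemon it manages is an assumption: a sleep stands in for the real binary so the script can be run anywhere, and the pid file defaults to /var/run/my_daemon.pid (override PIDFILE to try it as an unprivileged user). Status follows the LSB convention of exit 0 for running and 3 for stopped, which is what chkconfig-managed tooling expects.

```sh
#!/bin/sh
# my_daemon   SysV init script (added example, not from the original page)
#
# chkconfig: 345 82 28
# description: Starts and stops my_daemon, a placeholder long-running process.
# processname: my_daemon

DAEMON=${DAEMON:-"sleep 3600"}               # assumption: stand-in for the real daemon
PIDFILE=${PIDFILE:-/var/run/my_daemon.pid}

running() {                                  # true if the recorded pid is alive
  [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null
}

do_start() {
  if running; then echo "my_daemon already running"; return 0; fi
  $DAEMON &
  echo $! > "$PIDFILE"
  echo "my_daemon started (pid $!)"
}

do_stop() {
  if ! running; then echo "my_daemon not running"; rm -f "$PIDFILE"; return 0; fi
  kill "$(cat "$PIDFILE")"
  rm -f "$PIDFILE"
  echo "my_daemon stopped"
}

do_status() {                                # LSB exit codes: 0 running, 3 stopped
  if running; then echo "my_daemon is running"; return 0; fi
  echo "my_daemon is stopped"
  return 3
}

# Dispatch only when an action is given, so the functions can also be sourced.
case "$1" in
  start)   do_start ;;
  stop)    do_stop ;;
  restart) do_stop; do_start ;;
  status)  do_status ;;
  "")      ;;
  *)       echo "Usage: $0 {start|stop|restart|status}"; exit 2 ;;
esac
```

The pid file is the weak point of this pattern: if an unprivileged user can write it, stop will kill whatever pid they put there, so keep /var/run/my_daemon.pid root-owned and never source a pid file from a world-writable directory.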
Managing xinetd services
There are a bunch of services, particularly Internet services, that are not handled by separate run-level scripts. Instead, a single run-level script, xinetd, is run to handle incoming requests for these services, which is why xinetd is sometimes referred to as the super-server. Its start/stop script:
/etc/init.d/xinetd
Manage services in linux
- Start httpd service:
service httpd start
- Stop httpd service:
service httpd stop
- Configure httpd to start automatically when the OS boots:
chkconfig httpd on
And on Debian (where the Apache service is named apache2, not httpd):
update-rc.d apache2 enable
- List all running services
service --status-all | grep running
output:
acpid (pid 3039) is running...
atd (pid 3318) is running...
auditd (pid 2690) is running...
automount (pid 3015) is running...
Avahi daemon is running
Avahi DNS daemon is not running
hcid (pid 2892) is running...
sdpd (pid 2896) is running...
capi not installed - No such file or directory (2)
crond (pid 3289) is running...
cupsd (pid 3072) is running...
.............................
Host and network config
Change hostname
- Redhat / CentOS / Fedora: Edit /etc/sysconfig/network (the key is HOSTNAME in upper case):
HOSTNAME=GWServer01-YN01
And run the command below to change the running hostname without a reboot:
hostname GWServer01-YN01
- Debian / Ubuntu: Edit /etc/hostname and enter the new hostname:
GWServer01-YN01
And run the command below to change the running hostname:
hostname GWServer01-YN01
Edit login banner
telnet session: the pre-login banner comes from /etc/issue.net (network logins) and /etc/issue (local console)
/etc/issue.net
/etc/issue
ssh session: sshd shows no banner by default; set Banner /etc/issue.net in the file below and reload sshd
/etc/ssh/sshd_config
Network config
- Redhat: Edit /etc/sysconfig/network-scripts/ifcfg-eth0:
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=120.138.64.2
NETMASK=255.255.255.192
HWADDR=00:1A:64:56:12:10
GATEWAY=120.138.64.1
And run the command below to activate the config:
/sbin/service network restart
- [debian/ubuntu]: Edit /etc/network/interfaces (the network and broadcast lines are optional; ifupdown derives them from address and netmask):
auto eth0
iface eth0 inet static
    address 123.30.133.150
    gateway 123.30.133.129
    netmask 255.255.255.128
    network 123.30.133.128
    broadcast 123.30.133.255
And run the command below to activate the config:
/etc/init.d/networking restart
Check network card
/sbin/ifconfig -a
/sbin/arp -a
Check hardware network
sudo /usr/sbin/dmidecode -t baseboard
(-t needs a type keyword or number; baseboard covers DMI types 2, 10 and 41, which is where onboard NICs appear)
output:
Handle 0x002B, DMI type 10, 6 bytes
On Board Device Information
        Type: Ethernet
        Status: Enabled
        Description: Onboard Ethernet

Handle 0x006A, DMI type 41, 11 bytes
Onboard Device
        Reference Designation: Onboard LAN
        Type: Ethernet
        Status: Enabled
        Type Instance: 1
        Bus Address: 0000:00:19.0
Config Route
Static route
- Redhat (added live; lost at reboot):
route add -net 10.60.3.0/24 gw 10.30.41.1
route add -net 192.168.2.0/24 gw 192.168.2.2
route add default gw 120.138.64.1
- Debian (lines inside the eth1 stanza of /etc/network/interfaces, run each time the interface comes up):
up route add -net 10.60.3.0/24 gw 10.30.41.1 dev eth1
up route add -net 192.168.2.0/24 gw 192.168.2.2 dev eth1
Persistent static routes
- Redhat: list the routes in /etc/sysconfig/network-scripts/route-eth1, one "destination via gateway" per line:
10.199.44.0/24 via 10.30.31.1
10.199.51.5/32 via 10.30.31.1
10.199.3.0/24 via 10.30.31.1
10.199.50.213/32 via 10.30.31.1
10.30.4.0/27 via 10.30.31.1
118.102.5.136/32 via 10.30.31.1
192.168.64.0/24 via 10.30.31.1
10.30.4.9/32 via 10.30.31.1
Or append a single route to the file and add it live at the same time:
echo '10.30.15.16/32 via 10.30.31.1' >> /etc/sysconfig/network-scripts/route-eth1
route add -host 10.30.15.16 gw 10.30.31.1
And activate the configuration:
/sbin/service network restart
- Debian: Edit /etc/network/interfaces (inside the interface stanza; the down line removes the route again when the interface goes down):
up route add -net 10.8.0.0 netmask 255.255.255.0 gw 192.168.1.11
down route del -net 10.8.0.0 netmask 255.255.255.0 gw 192.168.1.11
And activate the configuration:
/etc/init.d/networking restart
DNS
Resolvers are listed in /etc/resolv.conf:
nameserver 202.96.209.5
DHCP server
- server config: /etc/dhcp/dhcpd.conf on CentOS 6 (/etc/dhcpd.conf on CentOS 5)
- client: run dhclient eth0 to obtain a dynamic IP
Security
Iptables
start, stop iptables
service iptables start
service iptables stop
service iptables restart
service iptables status
chkconfig --level 345 iptables on
chkconfig --list iptables
Iptable config
- /etc/sysconfig/iptables (the saved rule set that service iptables start loads)
- Create a simple iptables config which opens ssh, http and ICMP on eth0 and only ICMP on eth1:
*filter
:INPUT ACCEPT [396:30624]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [216:23216]
# replies to connections this host opened, for every protocol (the original
# rule had -p tcp here, which dropped UDP replies such as DNS answers on eth0)
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#eth0 INPUT here
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -i eth0 -j DROP
#eth1 INPUT here
-A INPUT -i eth1 -p icmp -j ACCEPT
-A INPUT -i eth1 -j DROP
COMMIT
Note that the INPUT policy is ACCEPT, so only eth0 and eth1 are filtered; traffic on lo and on any interface added later is allowed. A safer layout is :INPUT DROP with an explicit accept for -i lo, so a new interface is closed until you open it.
log system: messages,secure,cron
syslogd, klogd
These daemons provide centralized logging in linux.
- The configuration file: /etc/syslog.conf
- init script: /etc/rc.d/init.d/syslog
/var/log
- /var/log/dmesg: This log file is written upon system boot. It contains messages from the kernel that were raised during the boot process. You can also view them using the command:
#dmesg
- /var/log/messages: This is the standard system log file, which contains messages from all your system software, non-kernel boot issues, and messages that go to 'dmesg'.
- /var/log/maillog: This log file contains messages and errors from your sendmail.
- /var/log/secure: This log file contains messages and errors from security related systems such as login, tcp_wrappers, and xinetd. This log file is very useful in detecting and investigating network abuse.
Scheduling System Tasks
Check the log of all cron jobs on the system:
cat /var/log/cron
Scheduling System Tasks with at
Users listed in /etc/at.deny may not use at. Schedule a job (this one halts the system one minute from now) and list the queue:
echo "/sbin/init 0" | at now +1 minutes
atq
job 12 at 2009-08-17 20:06
Scheduling System Tasks with crond(crontab)
To schedule with crond, make sure crond is configured to start when Linux boots:
chkconfig crond on
Available System Crontabs
All available crontab locations:
/etc/crontab
/etc/cron.deny
/etc/cron.hourly
/etc/cron.daily
/etc/cron.weekly
/etc/cron.monthly
/etc/cron.d
basic contab commands
- crontab -e: create or edit crontab configuration file
- crontab -l: display content of crontab configuration file
- crontab -r: delete crontab configuration file
crontab configuration file base on linux user
- cat /var/spool/cron/root
*/30 * * * * /usr/sbin/ntpdate pool.ntp.org
*/5 * * * * /usr/local/bin/iostat.sh
14 2 * * * /etc/webmin/cron/tempdelete.pl
30 4 * * 1 /root/scripts/kpiweekly.sh >> /var/log/kpiweekly.log
0 5 1 * * /root/scripts/kpimonthly.sh >> /var/log/kpimonthly.log
- structure of a crontab line
minute(s) hour(s) day(s) month(s) weekday(s) command(s)
*  *  *  *  *  command to be executed
-  -  -  -  -
|  |  |  |  |
|  |  |  |  +----- day of week (0 - 6) (Sunday=0)
|  |  |  +------- month (1 - 12)
|  |  +--------- day of month (1 - 31)
|  +----------- hour (0 - 23)
+------------- min (0 - 59)
25 18 * * * /etc/webmin/cron/tempdelete.pl
Create 1 simple crontab
create a crontab for user anhvc that backs up the file /home/anhvc/data.txt at 21:45 every day
- step1: create the backup script /home/anhvc/backupdata.sh and make it executable (chmod +x). cron starts the job in the user's home directory, but absolute paths keep the script working from anywhere:
#!/bin/sh
# copy data.txt to a timestamped file, e.g. 214501_170809.txt (HHMMSS_DDMMYY)
dir=/home/anhvc
file_name=$(date +%H%M%S_%d%m%y)
cp "$dir/data.txt" "$dir/$file_name.txt"
- step2: Create the crontab entry
crontab -e
45 21 * * * /home/anhvc/backupdata.sh
- step3: no restart is needed, crond picks up the new spool file on its own; restarting it is harmless if you want to be sure:
sudo /etc/init.d/crond restart
- step4: check the content of the crontab
crontab -l
=> 45 21 * * * /home/anhvc/backupdata.sh
- step5: check the output of the cron job after 21:45
ls /home/anhvc
=> 214501_170809.txt
Create contab to update date/time of system
- Step1: Install ntpdate
yum install ntpdate
- Step2: Create contab content:
*/30 * * * * /usr/sbin/ntpdate pool.ntp.org
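A wrong field in a crontab line (hour 24, weekday 8, a missing field) is silently accepted by crontab -e on some systems and the job then never runs, which for a backup or a time-sync job is exactly the failure you do not want to discover later. This is an added example, not from the original page: cron_check validates the five time fields of one crontab line, such as the backup and ntpdate entries above, against the ranges in the diagram and prints either an ok summary or the first problem found. It handles *, numbers, ranges, lists and /step, but not month or weekday names and not the @daily shortcuts; the function name is mine.

```sh
#!/bin/sh
# Added example (not from the original page): validate the time fields of a crontab line.
# usage: cron_check '45 21 * * * /home/anhvc/backupdata.sh'   (exit 0 = ok, 1 = invalid)
cron_check() {
  printf '%s\n' "$1" | awk '
    BEGIN {
      lo[1] = 0; hi[1] = 59; name[1] = "minute"
      lo[2] = 0; hi[2] = 23; name[2] = "hour"
      lo[3] = 1; hi[3] = 31; name[3] = "day"
      lo[4] = 1; hi[4] = 12; name[4] = "month"
      lo[5] = 0; hi[5] = 7;  name[5] = "weekday"     # 0 and 7 both mean Sunday
    }
    function bad(msg) { print "invalid " msg; exit 1 }
    # one comma-separated item of field f: "*", N or A-B, each optionally followed by /step
    function check_item(item, f,    parts, step, a, b) {
      step = 1
      if (item ~ /\//) {
        split(item, parts, "/"); item = parts[1]; step = parts[2]
        if (step !~ /^[0-9]+$/ || step + 0 < 1) bad(name[f] " step: " step)
      }
      if (item == "*") return
      if (item ~ /^[0-9]+$/) { a = item; b = item }
      else if (item ~ /^[0-9]+-[0-9]+$/) { split(item, parts, "-"); a = parts[1]; b = parts[2] }
      else bad(name[f] " field: " item)
      if (a + 0 < lo[f] || b + 0 > hi[f] || a + 0 > b + 0) bad(name[f] " range: " item)
    }
    NF < 6 { bad("line: need 5 time fields and a command") }
    {
      desc = ""
      for (f = 1; f <= 5; f++) {
        n = split($f, items, ",")
        for (i = 1; i <= n; i++) check_item(items[i], f)
        desc = desc name[f] "=" $f " "
      }
      cmd = $6
      for (f = 7; f <= NF; f++) cmd = cmd " " $f
      print "ok: " desc "runs " cmd
    }
  '
}

# the two entries from this page, plus a broken one
cron_check '45 21 * * * /home/anhvc/backupdata.sh'
cron_check '*/30 * * * * /usr/sbin/ntpdate pool.ntp.org'
cron_check '0 24 * * * /home/anhvc/backupdata.sh'
```

Run it over crontab -l output line by line (skipping comments and VAR=value lines) before trusting a new schedule; the same check is a cheap sanity test for entries in /etc/cron.d dropped by packages.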
logrotate
Run logrotate every day from crond
logrotate is run daily by crond through the default /etc/cron.daily/logrotate script below; a non-zero exit is reported to syslog with logger, so check /var/log/messages when logs stop rotating:
#!/bin/sh

/usr/sbin/logrotate /etc/logrotate.conf >/dev/null 2>&1
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
    /usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
fi
exit 0
Config logrotate for apache logs
in /etc/logrotate.d/httpd
/var/log/httpd/*log {
    missingok
    notifempty
    sharedscripts
    delaycompress
    postrotate
        /sbin/service httpd reload > /dev/null 2>/dev/null || true
    endscript
}
⇒ change the first line if your log files live in a directory other than /var/log/httpd
Config logrotate for nginx logs
refer: http://article.gmane.org/gmane.comp.web.nginx.english/586
- Step1: Configure nginx to write a pid file, in conf/nginx.conf:
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
pid /var/run/nginx.pid;
- Step2: Restart nginx and check that /var/run/nginx.pid contains the master process id. If OK, go to the next step
- Step3: create the logrotate config for nginx, /etc/logrotate.d/nginx, with the content below:
/usr/local/nginx/logs/*log {
    # rotate the logfile(s) daily
    daily
    # adds extension like YYYYMMDD instead of simply adding a number
    dateext
    # If log file is missing, go on to next one without issuing an error msg
    missingok
    # Save logfiles for the last 52 days
    rotate 52
    # Old versions of log files are compressed with gzip
    compress
    # Postpone compression of the previous log file to the next rotation cycle
    delaycompress
    # Do not rotate the log if it is empty
    notifempty
    # create mode owner group
    create 640 root nobody
    sharedscripts
    # after logfile is rotated and nginx.pid exists, send the USR1 signal
    postrotate
        [ ! -f /var/run/nginx.pid ] || kill -USR1 `cat /var/run/nginx.pid`
    endscript
}
⇒ root:nobody (user root, group nobody) might need further revision on your own system, as might the log and pid file locations. USR1 makes the nginx master reopen its log files, so nothing keeps writing to the rotated file.
- Step4: run logrotate on the nginx config to check it (add -d for a dry run that only prints what would be done; --force rotates immediately even if the daily condition is not met):
logrotate --force /etc/logrotate.d/nginx
Optimize OS parameters(sysctl)
dynamic config (applies to the running system only and is lost at reboot; ulimit changes affect only the current shell and its children)
- run some basic dynamic config:
ulimit -n 102400
ulimit -c 1024000
echo 1073741824 > /proc/sys/kernel/shmmax
echo 200000 260000 300000 > /proc/sys/net/ipv4/tcp_mem
- check config:
ulimit -a
⇒ output (from a shell where the defaults still apply):
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 256651
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1024
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 10240
cpu time               (seconds, -t) unlimited
max user processes              (-u) 1024
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited
Increase number open files /etc/sysctl.conf
Check number open files
- Method1:
cat /proc/sys/fs/file-nr
⇒ output:
960 0 65536
⇒ the three numbers are allocated file handles (960), allocated-but-unused handles (0) and the system-wide maximum (fs.file-max = 65536)
- Method2: Check sysctl
sysctl -a | grep file-max
output:
fs.file-max = 65536
Steps to configure the maximum number of open files:
- Step1: edit /etc/sysctl.conf to raise the system-wide limit:
fs.file-max = 65536
- Step2: add the per-process limits to /etc/security/limits.conf (soft and hard, here for all users):
* soft nproc 65535
* hard nproc 65535
* soft nofile 65535
* hard nofile 65535
- Step3: apply: reboot, or load sysctl.conf with sysctl -p and log in again (limits.conf is applied by pam_limits at login, so sessions that are already open keep the old limit)
- Step4: recheck from a fresh login:
ulimit -n
output:
65535
Check config
ulimit -a
sysctl -a       => display all values currently available
sysctl kernel   => kernel parameters
sysctl fs       => file system parameters
sysctl net      => network parameters
(older procps cannot read a whole subtree with sysctl <name>; use sysctl -a | grep '^net\.' there)